Hackers are planting code on websites designed to use visitors’ computers to mine cryptocurrency. The creators of Coinhive, one of the most popular variants, say they didn’t see it coming.

Hijacking websites to mine cryptocurrency is all the rage. Over the weekend, hackers compromised a popular plugin used by thousands of websites, and tweaked it to inject code that caused visitors’ browsers to generate digital coins on the hackers’ behalf. That campaign took advantage of Coinhive, likely the most popular browser-based cryptocurrency miner at the moment, and which splits any mined cryptocurrency—in this case, Monero—with the Coinhive team.

But in an interview with Motherboard, the anonymous Coinhive developers said they didn’t quite anticipate that hackers would take advantage of their code, and acknowledged that “cryptojacking”, as the practice is sometimes called, is here to stay, at least for a while.

“We were quite overwhelmed by the extremely fast adoption,” a member of the Coinhive team told Motherboard in an email. “In hindsight, we were also quite naive in our assumptions on how the miner would be used. We thought most sites would use it openly, letting their users decide to run it for some goodies, as we did with our test implementation on pr0gramm.com before the launch. Which is not at all what happened in the first few days with Coinhive.”

The project has mined “the equivalent of a few million USD in total,” the team member said. Typically, 70 percent of that will go to the users. But Coinhive added that the recent plugin-related campaign, which also impacted US and UK government websites, only mined only 0.1 Monero, or $24—money which Coinhive says it hasn’t paid out to the attackers. Researchers have also found Coinhive embedded within a number of Android apps.

“Our strongest users have all embedded Coinhive in a meaningful way. They incentivise their users to run the miner and grant rewards for it,” the team member said.

Coinhive launched in September, and is marketed as a legitimate way for website owners to mine revenue, perhaps by replacing adverts with cryptocurrency code, or as a way to generate in-game currency for online games. Typically, in these cases, a website would be expected to clearly inform a user about the mining code. “We believe that in-browser mining could become a viable alternative to micro payments. Users pay with their CPU time and electricity in exchange for contents or services,” the team member said.

Porn sites, gambling sites, forums, and WordPress blogs all use Coinhive, they added. The team don’t specifically track domains, so if a user’s email address is not, for example, “contact@website.com,” Coinhive often don’t know where or how the service is being used, though.

To use the project’s API, users need to sign up for a Coinhive account. The Coinhive team member said they have a “strict policy” against using the service on compromised sites, and that they have banned a number of offending accounts. However, anyone could take the Javascript, mining part of Coinhive, hook it up themselves to the Monero network and run it without the need for a Coinhive account. “There are alternatives to Coinhive and the ability to self-host a server implementation, so we cannot stop all attackers,” they added.

“‘Cryptojacking’ will probably be here to stay for a while. At least until the rising difficulty in the Monero network (and others) makes it impracticable or Browser vendors somehow block CPU heavy websites,” the Coinhive team member said. They caveated that reports of malicious Coinhive use “have slowed down tremendously, as ‘hackers’ realize there's not much to gain with our service."

The wave of hackers adopting Coinhive has arguably already made the project somewhat synonymous with cybercrime.

“Just go a Google search and you’ll find all kinds of ‘How to remove Coinhive Virus’ tutorials. All Antivirus vendors have already blacklisted us,” the team member continued. “I don’t think our image could be much worse.” Coinhive thinks that anti-virus companies may have overstepped when “they report some Javascript code that is securely executed in the Browser’s sandbox as a ‘Trojan.’ It’s misleading their users and scaring them into continuously buying updates.” Instead, that job should fall to adblockers or browser-based privacy extensions, the team member added.

“Food for thought; and we only mean this half serious: embedded miners in compromised websites are usually detected way sooner than other malicious browser scripts. Website owners recognize the breach and are finally forced to update their shitty WordPress installations,” the Coinhive team member added.